如何使用 Node/Typescript 签署 S3 url?
How can I get signed S3 url using Node/Typescript?
在 FaaS 中使用 Node + aws-sdk,我试图获得预签名 url 以将文件上传到 S3 存储桶。当我上传文件时,我得到以下响应
InvalidAccessKeyId我们的记录中不存在您提供的 AWS 访问密钥 ID。
// getUploadUrl
import { FunctionEvent } from 'graphcool-lib'
import * as AWS from 'aws-sdk'
const BUCKET = process.env['BUCKET'];
const AWS_ACCESS_KEY_ID = process.env['AWS_ACCESS_KEY_ID'];
const AWS_SECRET_ACCESS_KEY = process.env['AWS_SECRET_ACCESS_KEY'];
const signedUrlExpiresSeconds = 60*10;
AWS.config.update({
accessKeyId: AWS_ACCESS_KEY_ID,
secretAccessKey: AWS_SECRET_ACCESS_KEY,
region: 'eu-west-2'
});
const s3 = new AWS.S3({ apiVersion: "2006-03-01" })
interface EventData {
fileName: string
}
export default async (event: FunctionEvent<EventData>) => {
if (!event.context.auth || !event.context.auth.nodeId) {
return { error: 'No user logged in.' }
}
try {
const { fileName } = event.data;
// Pre-signing a putObject (asynchronously)
const params = { Bucket: BUCKET, Key: fileName, Expires: signedUrlExpiresSeconds }
const uploadUrl: string = await s3.getSignedUrl('putObject', params)
if (!uploadUrl) {
return { error: 'Unable to get presigned upload URL from S3' }
}
return { data: { uploadUrl } }
} catch (e) {
console.log(e)
return { error: 'An unexpected error occured during password change.' }
}
}
这是我在 AWS IAM 上的权限
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject"
],
"Resource": "arn:aws:s3:::bucket-name/*"
}
]
}
我正在使用以下方式上传文件
curl -v -T test.pdf presignedUrl
有什么想法吗?
这是生成的路径
"https://my-aws-s3-domain.s3.eu-west-2.amazonaws.com/test.pdf?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=XXXXXXX1222%2Feu-west-2%2Fs3%2Faws4_request&X-Amz-Date=20171222T153846Z&X-Amz-Expires=600&X-Amz-Signature=XXXXXX-268d&X-Amz-SignedHeaders=host"
我将 AWS 配置更新为 AWS.config.update({ region: 'eu-west-2' });,因为它会自动从 process.ENV 中获取 AWS_ACCESS_KEY_ID、AWS_SECRET_ACCESS_KEY(正如 Michael 所指出的)。
我再次尝试并收到 Access denied 响应,因此我将 IAM 策略更改为:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "s3:*",
"Resource": "arn:aws:s3:::my-s3-bucket-name"
}
]
}
它仍然给出访问被拒绝错误。
事实证明 Graphcool 的环境变量中存在错误,这意味着 AWS 密钥没有更新。
可能与此问题相关:
https://github.com/graphcool/framework/issues/799
编辑 - 在 Graphcool 中,AWS_ACCESS_KEY_ID 和 AWS_SECRET_ACCESS_KEY 是受保护的环境变量。所以你不能使用它们
在 FaaS 中使用 Node + aws-sdk,我试图获得预签名 url 以将文件上传到 S3 存储桶。当我上传文件时,我得到以下响应
InvalidAccessKeyId我们的记录中不存在您提供的 AWS 访问密钥 ID。
// getUploadUrl
import { FunctionEvent } from 'graphcool-lib'
import * as AWS from 'aws-sdk'
const BUCKET = process.env['BUCKET'];
const AWS_ACCESS_KEY_ID = process.env['AWS_ACCESS_KEY_ID'];
const AWS_SECRET_ACCESS_KEY = process.env['AWS_SECRET_ACCESS_KEY'];
const signedUrlExpiresSeconds = 60*10;
AWS.config.update({
accessKeyId: AWS_ACCESS_KEY_ID,
secretAccessKey: AWS_SECRET_ACCESS_KEY,
region: 'eu-west-2'
});
const s3 = new AWS.S3({ apiVersion: "2006-03-01" })
interface EventData {
fileName: string
}
export default async (event: FunctionEvent<EventData>) => {
if (!event.context.auth || !event.context.auth.nodeId) {
return { error: 'No user logged in.' }
}
try {
const { fileName } = event.data;
// Pre-signing a putObject (asynchronously)
const params = { Bucket: BUCKET, Key: fileName, Expires: signedUrlExpiresSeconds }
const uploadUrl: string = await s3.getSignedUrl('putObject', params)
if (!uploadUrl) {
return { error: 'Unable to get presigned upload URL from S3' }
}
return { data: { uploadUrl } }
} catch (e) {
console.log(e)
return { error: 'An unexpected error occured during password change.' }
}
}
这是我在 AWS IAM 上的权限
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject"
],
"Resource": "arn:aws:s3:::bucket-name/*"
}
]
}
我正在使用以下方式上传文件
curl -v -T test.pdf presignedUrl
有什么想法吗?
这是生成的路径
"https://my-aws-s3-domain.s3.eu-west-2.amazonaws.com/test.pdf?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=XXXXXXX1222%2Feu-west-2%2Fs3%2Faws4_request&X-Amz-Date=20171222T153846Z&X-Amz-Expires=600&X-Amz-Signature=XXXXXX-268d&X-Amz-SignedHeaders=host"
我将 AWS 配置更新为 AWS.config.update({ region: 'eu-west-2' });,因为它会自动从 process.ENV 中获取 AWS_ACCESS_KEY_ID、AWS_SECRET_ACCESS_KEY(正如 Michael 所指出的)。
我再次尝试并收到 Access denied 响应,因此我将 IAM 策略更改为:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "s3:*",
"Resource": "arn:aws:s3:::my-s3-bucket-name"
}
]
}
它仍然给出访问被拒绝错误。
事实证明 Graphcool 的环境变量中存在错误,这意味着 AWS 密钥没有更新。
可能与此问题相关: https://github.com/graphcool/framework/issues/799
编辑 - 在 Graphcool 中,AWS_ACCESS_KEY_ID 和 AWS_SECRET_ACCESS_KEY 是受保护的环境变量。所以你不能使用它们